[Puppet - Bug #1871] (Re-opened) Sensitive information leaked in log reports

Mon, 16 Feb 2009 15:38:26 -0800 

Issue #1871 has been updated by josh.

Status changed from Closed to Re-opened
Affected version changed from 0.24.6 to 0.24.7

This is still an issue in 0.24.7. Here's an example:

*/tmp/test.pp:*
<pre>
file { "/tmp/test.txt":
  content => template("/tmp/test.erb"),
  noop => true
}
</pre>

*/tmp/test.txt:*
<pre>
Good-bye!
</pre>

*/tmp/test.erb:*
<pre>
Hello!
</pre>

*Puppet output:*
<pre>
# puppet test.pp
notice: //File[/tmp/test.txt]/checksum: is 
{md5}d5aeca13b2492cb7ae71178d3e4297a8, should be md5 (noop)
notice: //File[/tmp/test.txt]/content: is Good-bye!
, should be Hello!
 (noop)
#
</pre>

This was tested with Puppet 0.24.7/Ruby 1.8.6 on Solaris 10 (SPARC) and Mac OS 
10.5 (x86).

The log messages are coming from the "go" method in the 
Puppet::Transaction::Change class:

*change.rb:*
<pre>
    def go
        if self.noop?
            @property.log "is %s, should be %s (noop)" % 
[property.is_to_s(@is), property.should_to_s(@should)]
            return [event(:noop)]
        end
</pre>

I'm afraid that I haven't spent enough time with the source code to track this 
any further.
----------------------------------------
Bug #1871: Sensitive information leaked in log reports
http://projects.reductivelabs.com:80/issues/1871

Author: IanTurner
Status: Re-opened
Priority: Normal
Assigned to: 
Category: file
Target version: 
Complexity: Unknown
Affected version: 0.24.7
Keywords: security content source logs


It seems that at the moment, any files mastered through the "content" tag will 
sometimes have their contents reported through the various logging domains, 
either with a diff or with the complete file contents. This does not appear to 
happen with files mastered through the "source" tag.

Since installed files may contain highly sensitive information, such as 
passwords, it should be possible to disable this behavior, either by a change 
for all users or through a configuration directive.



----------------------------------------
You have received this notification because you have either subscribed to it, 
or are involved in it.
To change your notification preferences, please click here: 
http://reductivelabs.com/redmine/my/account

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Puppet Bugs" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to 
[email protected]
For more options, visit this group at 
http://groups.google.com/group/puppet-bugs?hl=en
-~----------~----~----~----~------~----~------~--~---

Reply via email to